Penetration Testing mailing list archives
Re: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall
From: Steve Hall <yjc62 () DIAL PIPEX COM>
Date: Tue, 23 Jan 2001 23:54:18 -0000
The following is a guess so treat it as such ;-)

SunScreens have a state table, which at default is quite small. This fills quickly for sessions that are incomplete or have bombed. Search on SunSolve for this and you'll find two postings, numbers I can't remember atm, and these allow you to:

1. Increase the frequency that the table is cleared, I think it is 24 hours at default
2. Increase the size of the table, which again is 10000 at default from memory.

Hope this helps.

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Vernon Vernon
Sent: 23 January 2001 08:11
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Any countermeasure for SYN-Flood to SunScreen Firewall

Hi All,

Currently my team has performed a SYN-Flood attack at one site as part of the penetration test that is running SunScreen EFS on SunOS 5.6. We performed the attack using TFN2K and managed to halt the server by using only one attack machine. (The throughput is around 300-500k)

Originally, the SunOS kernel parameters tcp_ip_abort_cinterval & tcp_conn_req_max_q0 should be able to address this issue. We have tested the following values:

tcp_ip_abort_cinterval = 60,000
tcp_conn_req_max_q0 = 2048/4096/even 300,000

However, it doesn't seem to be effective. We can still DoS the firewall by one machine.

We have discussed with the vendor and the vendor cannot explain why these do not work. They explained that they only know this countermeasure (at OS level) to defend against SYN-Flood for Sun machines.

Apart from using NIDS or configuring a router to provide SYN-Flood countermeasures (which is quite costly), is there something wrong with the above settings or any other things that can be done at OS level to address this problem?

Thanks a lot,
Vernon
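Added example, not part of either message above and not Sun's code: a small sizing model showing how quickly a table of never-completed connection entries fills for the capacities and lifetimes mentioned in the thread. The drop-when-full behaviour, the 100 SYN/s rate and the 10-second scenario are assumptions made for illustration; the 10000-entry / 24-hour figures are the ones the reply quotes from memory.

```python
from collections import deque

def simulate_table(capacity, lifetime_ms, syn_per_sec, duration_s=120):
    """Model a table of never-completed connection entries.

    Assumed behaviour (not taken from SunScreen or Solaris source): every
    unanswered SYN holds one slot for lifetime_ms, and a SYN that arrives
    while the table is full is dropped.
    Returns (peak_entries, dropped_syns, first_full_s or None).
    """
    expiries = deque()                  # expiry time (ms) per entry, oldest first
    step_ms = 1000.0 / syn_per_sec
    peak = dropped = 0
    first_full_s = None
    for i in range(duration_s * syn_per_sec):
        now = i * step_ms
        while expiries and expiries[0] <= now:    # age out expired entries
            expiries.popleft()
        if len(expiries) >= capacity:             # table full: SYN is lost
            dropped += 1
            if first_full_s is None:
                first_full_s = now / 1000.0
        else:
            expiries.append(now + lifetime_ms)
            peak = max(peak, len(expiries))
    return peak, dropped, first_full_s

RATE = 100  # constructed rate of unanswered SYNs per second, not a measured value

SCENARIOS = {
    # name: (capacity, entry lifetime in ms)
    "q0=2048, cinterval=60000": (2048, 60_000),
    "q0=4096, cinterval=60000": (4096, 60_000),
    "q0=300000, cinterval=60000": (300_000, 60_000),
    "state table 10000, 24 h (reply's from-memory figures)": (10_000, 24 * 3600 * 1000),
    "q0=4096, 10 s lifetime (hypothetical)": (4096, 10_000),
}

def run_scenarios(rate=RATE):
    """Run every scenario at the same rate and return {name: result tuple}."""
    return {name: simulate_table(cap, life, rate)
            for name, (cap, life) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (peak, dropped, full_at) in run_scenarios().items():
        print(f"{name:55s} peak={peak:6d} dropped={dropped:6d} full_at={full_at}")
```

In this model steady-state occupancy is rate times entry lifetime, so a 10000-entry table with a very long lifetime fills no matter how large the TCP queue behind it is, while shortening the lifetime lowers occupancy without adding capacity.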